Hi Sudipto,

There is a decorator that needs to be installed via the isis.properties 
file. 

isis.reflector.facets.include=org.apache.isis.runtimes.dflt.runtime.authorization.AuthorizationFacetFactoryForDfltRuntime
 

See [1] - but there may still be some issues - I used the file authorizor 
a long time ago for a demo (when it worked), but I now use my own 
authentication service that is called by the visible* and disabled* 
methods of any actions whose state or visibility I need to control.

Regards,
Kevin


[1] https://issues.apache.org/jira/browse/ISIS-211

On 11 Jun 2012 at 14:53, Sudipto Majumder wrote:

> Well, I got hold of an isis-security PDF and following that this is what I
> did. But still I could not achieve what I want with authorization. Please
> comment if I am going in the right direction.
> 
> I have a service class *EmployeeSql* with two actions *newEmployee(String
> name, String designation, String department)* and *findEmployee()*.
> I want two roles namely *ADMIN* and *USER* so that only ADMIN can see the
> menu "New Employee".
> As I have mentioned in my earlier mail that I am now able to use SQL
> authentication, I added a column called *roles* in that SQL table and added
> this property in *isis.properties* file.
> *isis.authentication.sql.roleField=roles*
> 
> Now I am still using file authorization.
> *isis.authorization=file*
> 
> In authorization_file.properties I have added the following.
> *isis.authorization.file.whitelist=authorization_file.allow
> isis.authorization.file.blacklist=authorization_file.disallow*
> 
> In authorization_file.allow file I have added
> *EmployeeSql#findEmployee():ADMIN|USER*
> 
> And in authorization_file.disallow file I have added
> *
> EmployeeSql#newEmployee(java.lang.String,java.lang.String,java.lang.String):USER
> *
> 
> But when I log in with either of the users with ADMIN and USER role, I am
> able to see both the menu links. Can you please suggest where I am going
> wrong?
> 
> Thanks,
> Sudipto.
> On Mon, Jun 11, 2012 at 11:22 AM, Sudipto Majumder
> <[email protected]> wrote:
> 
> > Kevin, I am not too sure that I could fully follow you on this. I was
> > already using *isis.persistor=sql* and had the following sql dependencies
> > in my pom.
> > *        <dependency>
> >             <groupId>org.apache.isis.runtimes.dflt.objectstores</groupId>
> >             <artifactId>sql-impl</artifactId>
> >             <version>${isis.version}</version>
> >         </dependency>
> >
> >         <dependency>
> >             <groupId>mysql</groupId>
> >             <artifactId>mysql-connector-java</artifactId>
> >             <version>5.1.6</version>
> >         </dependency>*
> >
> > But with that things were not working. Did you mean this as sql-os? Sorry
> > if I got you all wrong.
> >
> > However, from Dan's mail I realized that the sql security class was not in
> > classpath. I added the following dependency in my pom and things are
> > working now. I am just mentioning this here so that others can get a quick
> > pointer in the future.
> >
> >             *<dependency>
> >                 <groupId>org.apache.isis.security</groupId>
> >                 <artifactId>sql</artifactId>
> >                 <version>${isis.version}</version>
> >             </dependency>*
> >
> > So, authentication is all good at least with database. Coming back to
> > authorization, can you please guide me on that a little.
> >
> > Suppose, there are two actions for a domain class, one create and one
> > search, if I want to show search to all but create to a specific role, how
> > do I accomplish that?
> >
> > I am not too clear about role1, role2, role3 and what if I want to have my
> > own roles. A little help on this will be much appreciated.
> >
> > Thanks,
> > Sudipto.
> >
> > However, from Dan's response I had the idea t
> >
> > On Fri, Jun 8, 2012 at 9:43 PM, Dan Haywood
> > <[email protected]> wrote:
> >
> >> Just to add to Kevin's reply...
> >>
> >> The way that Isis loads components is using the InstallerLookupDefault
> >> class.  When it reads the following:
> >>
> >> isis.authentication=sql
> >>
> >> then this is ultimately read by
> >> InstallerLookupDefault#authenticationManagerInstaller() method.
> >>
> >> If you trace it through you'll see that the method reads the key value
> >> "sql" and looks for a component that implements
> >> AuthenticationManagerInstaller interface.
> >>
> >> The available components are listed in the installer-registry.properties
> >> file, that lives in oai.runtimes.dflt:runtime module, in the
> >> oai.runtimes.dflt.runtime package (src/main/resources).
> >>
> >> One of the components listed there is
> >> org.apache.isis.security.sql.authentication.SqlAuthenticationManagerInstaller;
> >> if present on the classpath then this will indicate that its name is "sql",
> >> and thus be loaded by InstallerLookupDefault.
> >>
> >> If the component is not on the classpath, then the entry in the
> >> installer-registry.properties file is ignored.
> >>
> >> One day we might chuck all this out and just use CDI, but for now it works
> >> and is reasonably straight-forward.
> >>
> >> NB: none of the above alters Kevin's advice: you just need to make sure
> >> that the sql-os modules are on your classpath by adding them into your
> >> pom.
> >>
> >> HTH,
> >> Dan
> >> ~~~~~~~
> >>
> >> On 8 June 2012 12:46, Sudipto Majumder <[email protected]> wrote:
> >>
> >> > Okay, I found some info on the website. I was trying to use sql
> >> > authentication since ldap server is not yet available. I used the following
> >> > configuration in isis.properties -
> >> >
> >> > *isis.authentication=sql
> >> > isis.authentication.sql.jdbc.driver=com.mysql.jdbc.Driver
> >> > isis.authentication.sql.jdbc.connection=jdbc:mysql://localhost:3306/tutorial
> >> > isis.authentication.sql.jdbc.user=***
> >> > isis.authentication.sql.jdbc.password=***
> >> >
> >> > isis.authentication.sql.userTable=user_authentication
> >> > isis.authentication.sql.userNameField=username
> >> > isis.authentication.sql.passwordField=password
> >> > *
> >> > But getting the following error while deploying -
> >> >
> >> > *Error in custom provider,
> >> > org.apache.isis.core.commons.factory.InstanceCreationException: Failed to
> >> > load installer; named/class:'sql' (of type
> >> > org.apache.isis.core.runtime.authentication.AuthenticationManagerInstaller)*
> >> >
> >> > Where am I going wrong? I'm using isis version
> >> > *0.3.0-incubating-SNAPSHOT* and file authentication is working fine for
> >> > me.
> >> >
> >> > Thanks,
> >> > Sudipto.
> >> > On Fri, Jun 8, 2012 at 11:07 AM, Sudipto Majumder <[email protected]> wrote:
> >> >
> >> > > Hi Dan,
> >> > >
> >> > > After some initial POC success, there is an actual opportunity of using
> >> > > Isis framework in a rapid development project. We have little time to
> >> > > ponder on whether we should use Isis or go for some other traditional
> >> > > framework. The use cases for this project are not very complex and hence we
> >> > > were thinking of Isis in the first place. But before we can decide, we need
> >> > > to be sure of the feasibility of a few facts.
> >> > >
> >> > > And the first thing to look into is the authentication and authorization
> >> > > part. So far, I have only used and seen file based authentication but in
> >> > > the framework code I noticed some classes for LDAP authentication. So, my
> >> > > first question is can we integrate easily with an LDAP for the
> >> > > authentication part? If yes, is there any documentation available on the
> >> > > same?
> >> > > As for authorization, we need to show/hide some service and menu links
> >> > > based on roles and these roles would be maintained in application database.
> >> > > So this brings up to my second question, whether that can be achieved or
> >> > > not. In the password files I noticed some mention of roles but did not
> >> > > understand much about that.
> >> > >
> >> > > I would really appreciate if you can kindly comment on these items.
> >> > >
> >> > > Thanks,
> >> > > Sudipto.
> >> > >
> >> >
> >>
> >
> >
> 


--
Kevin Meyer, PhD, Pr.Sci.Nat
KMZ             P.O. Box 9822, Sharon Park, South Africa.
Tel: +27 11 363 2001    Cell: +27 83 346 3045
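
The role rule asked about in this thread (only ADMIN sees "New Employee"), expressed in code on the service instead of in the allow/disallow files. This is an added example, not code from the thread or from the Isis project; it uses the applib's `hideXxx()` / `disableXxx()` supporting-method convention. Assumptions: the SQL authenticator copies the `roles` column into the session user's roles, the no-argument supporting-method form is available in your Isis version, and `Employee` is a hypothetical entity.

```java
import java.util.List;
import org.apache.isis.applib.AbstractDomainObject;
import org.apache.isis.applib.AbstractFactoryAndRepository;
import org.apache.isis.applib.security.RoleMemento;

// Service named as in the thread; ADMIN and USER are the roles used there.
public class EmployeeSql extends AbstractFactoryAndRepository {
    public Employee newEmployee(String name, String designation, String department) {
        Employee employee = newTransientInstance(Employee.class);
        employee.setName(name);
        employee.setDesignation(designation);
        employee.setDepartment(department);
        persist(employee);
        return employee;
    }
    // Supporting method for newEmployee: returning true hides the action.
    public boolean hideNewEmployee() {
        return !currentUserHasRole("ADMIN");
    }

    public List<Employee> findEmployee() {
        return allInstances(Employee.class);
    }
    // Supporting method for findEmployee: a non-null reason disables the action.
    public String disableFindEmployee() {
        boolean allowed = currentUserHasRole("ADMIN") || currentUserHasRole("USER");
        return allowed ? null : "Requires the ADMIN or USER role";
    }

    // Assumption: the authenticator has put the user's roles into the session.
    private boolean currentUserHasRole(String roleName) {
        for (RoleMemento role : getUser().getRoles()) {
            if (role.getName().equals(roleName)) return true;
        }
        return false;
    }
}

// Hypothetical entity; in a real project a public class in its own file.
class Employee extends AbstractDomainObject {
    private String name, designation, department;
    public String getName() { return name; }
    public void setName(String v) { name = v; }
    public String getDesignation() { return designation; }
    public void setDesignation(String v) { designation = v; }
    public String getDepartment() { return department; }
    public void setDepartment(String v) { department = v; }
}
```

Role names are compared exactly, so the values stored in the `roles` column must match the strings used in the checks, including case.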

